I have been able to produce a SARIF scan report for a Docker image using the Mend CLI and I was also able to publish it to Github Advanced Security. I was under the impression that this Mend CLI would also be able to publish the results to Mend, but I can't see how exactly.
My user has product admin privileges.
I have the following Github workflow:
name: Publish Docker image
on:
workflow_call:
inputs:
image_name:
description: 'Docker image name'
default: ${{ github.event.repository.name }}
type: string
tag:
description: 'Release tag version'
required: true
type: string
tag_latest:
description: 'Tag as latest version?'
default: true
required: false
type: boolean
tag_minimal:
default: ""
description: 'Minimal supported tag version'
required: false
type: string
env:
REGISTRY: docker.foo.corp
permissions:
actions: write
contents: write
security-events: write
jobs:
tag:
name: Tag & Release
runs-on: [self-hosted, myrunners]
container:
image: mydockerimg.foo.corp/ci-base:1.0.4
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
ref: ${{ github.head_ref }}
fetch-depth: 0
- name: Set Git Config
run: |
git config --local user.email "someuser@foo.corp"
git config --local user.name someuser"
- name: Tag latest commit
run: git tag ${{ inputs.tag }}
- name: Push changes
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
branch: ${{ github.ref }}
tags: true
publish-image:
name: Publish Image
runs-on: [self-hosted, myrunner]
needs: tag
steps:
- name: Checkout repository
uses: actions/checkout@v4
# Uses the `docker/login-action` action to log in to the Container registry using the account and password that
# will publish the packages. Once published, the packages are scoped to the account defined here.
- name: Log in to the Container registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Add certificate to the builder
run: |
BUILDX_CONTAINER_ID=$(docker ps -aqf "name=${{ steps.setup-buildx-action.outputs.name }}")
docker cp /usr/local/share/ca-certificates/some.crt $BUILDX_CONTAINER_ID:/usr/local/share/ca-certificates
docker exec $BUILDX_CONTAINER_ID update-ca-certificates
# This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and
# labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be
# referenced in a subsequent step. The `images` value provides the base name for the tags and labels.
- name: Extract metadata (tags, labels)
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ inputs.image_name }}
tags: type=raw,value=${{ inputs.tag }}
# This step uses the `docker/build-push-action` action to build the image, based on your repository's
# `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
# It uses the `context` parameter to define the build's context as the set of files located in the specified path.
# For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the
# `docker/build-push-action` repository.
# It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
- name: Build and push Docker image
uses: docker/build-push-action@v5
with:
cache-from: type=gha
cache-to: type=gha,mode=max
context: .
file: ./Dockerfile
push: true
tags: |
${{ steps.meta.outputs.tags }}
${{ inputs.tag_latest == true && format('{0}/{1}:latest', env.REGISTRY, inputs.image_name) || '' }}
${{ inputs.tag_minimal != '' && format('{0}/{1}:{2}', env.REGISTRY, inputs.image_name, inputs.tag_minimal)|| '' }}
labels: ${{ steps.meta.outputs.labels }}
platforms: linux/amd64
build-args: |
BUILDTIME=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
REVISION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
- name: Download Mend CLI & Run a Scan
run: |
export MEND_URL=${{ secrets.MEND_URL }}
export MEND_ORGANIZATION=${{ secrets.MEND_ORGANIZATION }}
export MEND_USER_KEY=${{ secrets.MEND_USER_KEY }}
export MEND_EMAIL=${{ secrets.MEND_EMAIL }}
curl https://downloads.mend.io/cli/linux_amd64/mend -o /tmp/mend && chmod +x /tmp/mend
/tmp/mend auth info --non-interactive
/tmp/mend image ${{ env.REGISTRY }}/${{ inputs.image_name }}:${{ inputs.tag }} --format sarif --filename results.sarif --local-pull
- name: Upload sarif
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
I have been reading through the documentation, but the Github integration seems to not be very well documented in this regard.
What do I need to execute now in order to publish this to Mend?
Is there a Github action that can be used to check pull requests and add comments with findings like such exist for Checkmarx One, for example?
From what I've seen, currently only organization-level admins can upload Docker image scan results to the Mend webapp. A product-level admin permission is not going to be enough.